Splunk Search

How do I locate the latest event and have all the fields in that event available to me?

smaloney99
New Member

I am using the following query to locate the latest event with the field EVENTREF = 50184 or 50185. I believe the correct event is being returned by the stats command but it is not returning all the fields in the returned event for reporting purposes.

Any suggestions?

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent by TVMREF

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this

EVENTREF=50184 OR EVENTREF=50185 | stats latest(EVENTREF) as LatestEvent, values(EVENTREF) as Events by TVMREF
---
If this reply helps you, Karma would be appreciated.
0 Karma

smaloney99
New Member

Thank you! Using 'values' for any field I'd like to access is doing the trick.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...